Majority of APAC firms pay up in ransomware attacks

Despite expert advice against paying up, most victims of ransomware attacks in the region, including 88% in Australia and 78% in Singapore, have paid the ransom in full or in part, and the number of such attacks is only going to keep climbing amidst accelerated digital transformation efforts and remote work.

A majority of businesses across the Asia-Pacific region are choosing to pay up after falling victim to ransomware attacks, with 88% in Australia and 78% in Singapore, respectively, forking out the ransom in full or in part. And such attacks are expected to continue to increase amidst accelerated digital transform efforts and remote work, as organisations evolve to cope with the global pandemic. 

Some 45% of enterprises in Singapore would take between five and 10 days to recover fully from a ransomware attack, compared to 11% in India and 35% in China, according to Veritas' 2020 Ransomware Resiliency Report released Tuesday night. Conducted by Wakefield Research in September, the global study polled 2,690 senior IT executives from companies with at least 1,000 employees, including 150 respondents each from six Asia-Pacific markets, including Japan and South Korea.

And while 39% in India said they would need fewer than five days to fully recover from a ransomware attack, another 36% in the country said they needed more than a month to do so -- the highest number across the region. Just 1% in Singapore said they would need more than a month to recover completely from such attacks, as did 2% in Australia and 8% in China. 

Global pandemic opening up can of security worms

Caught by the sudden onslaught of COVID-19, most businesses lacked or had inadequate security systems in place to support remote work and now have to deal with a new reality that includes a much wider attack surface and less secured user devices.

Read More

Furthermore, 1% in Australia as well as in South Korea said they would not be able to recover fully from a ransomware attack, along with 7% in China. Worldwide, 2% said they would be unable to do so. 

Upon experiencing a ransomware attack, 62% in China paid the ransom in full or in part, while 77% in India and 57% in Japan did likewise. Another 69% in South Korea paid the ransom in full or in part. 

The study also revealed that, across the board, companies managing greater complexity in their multi-cloud infrastructure were more likely to pay the ransom to reclaim their hijacked data, with the number that did so in full running a mean number of 17.11 cloud services. 

In addition, 20% of companies operating fewer than five cloud platforms paid a ransom in full, compared to 30% with more than 20 cloud platforms.

The complexity of having to operate cloud architectures also had a significant impact on the organisation's ability to recover following a ransomware attack, according to Veritas. Some 44% of businesses with fewer than five cloud providers in their infrastructure needing fewer than five days to recover, compared to 12% with more than 20 providers doing likewise. 

And while 49% of businesses with fewer than five cloud providers could restore 90% or more of their data, only 39% of their peers running more than 20 cloud services were able to do likewise. 

In Singapore, 49% said their security had kept pace with their IT complexity. Their counterparts in India, at 55% were most confident amongst other in the region about their security measures keeping pace with their IT complexity. Just 31% in China said likewise, along with 36% in Japan, 39% in South Korea, and 43% in Australia. 

Ransomware attacks on an upward trajectory

With ransomware attacks expected to continue to increase amidst accelerated digital transformation efforts and the normalisation of remote work, enterprises in the region will need to ensure they can detect and recover from such attacks. 

Andy Ng, Veritas' Asia-Pacific vice president and managing director, underscored the security vendor's recommended three-step layered approach to detect, protect, and recover.  

Speaking to ZDNet in a conference call, Ng said: "We always advise companies not to pay because doing so leave them more open to being attacked again. The best step forward is to have a sound data protection and recovery strategy. It will mean every copy of data you have is backed up and protected, including keeping it offsite. If you have three copies of the data, and the ability to recover quickly, you won't be held ransom because you'll always have access to the data."

He noted that the global pandemic had left companies more susceptible to cyber attacks, as they rushed to digitalise their operations and equip their employees to work remotely. Digital transformation efforts had been fast-tracked, from 18 months to three months, and companies were grappling with having to manage data across many diverse sources as they deployed multi-cloud hybrid IT infrastructures, he said. 

Pointing to the human as the most vulnerable component within an organisation, Ng said malicious hackers could now target a wider spread of end-point client devices. He revealed that a Veritas customer in the professional services sector had their network compromised after it embarked on a work-from-home model and rushed to distribute laptops and tablets to their employees, leaving some devices without proper data protection. 

He added that there had been an increase of ransomware attacks against manufacturing companies in the last two to three years and, more recently, professional services companies. 

Singapore government must realise human error also a security breach

Latest data breach involving a government agency may have been the result of human error, but it should still be deemed a security breach and treated as a risk that needs to be addressed, rather than dismissed.

Read More

While healthcare and financial services sectors were expected targets, he noted that these sectors typically were more heavily regulated and had to comply with strict guidelines laid out by their local authorities. As such, he was seeing fewer ransomware attacks involving these organisations here. 

Large enterprises, though, increasingly were hot targets because their deeper pockets meant ransom demands and returns could potentially be higher for hackers, he said.

ZDNet asked how efforts by governments such as Singapore to ease data access to facilitate business transactions could impact the ransomware landscape in Asia-Pacific. Ng noted the "fine balance" of having to drive digital transformation, under certain market pressures such as COVID-19, and securely manage data in the organisation's own data centres as well as across its cloud providers' platforms. 

"As companies digitalise, the resiliency gap will only get wider," he said, adding that the Singapore government already was working to address this. "It's not easy because the ransomware [challenge] is not going to go away."

"The unique security challenges posed by increased multi-cloud adoption combined with an ever-changing threat landscape requires proactive measures put in place for prevention and mitigation," Ng said in the report. "It is imperative for companies deploy corresponding data protection solutions to close that resiliency gap in order to protect increasingly valuable digital assets."

Citing Veritas' own research, he noted that 42% of companies had been hit by at least one ransomware attack in the last two years. 

According to the Ransomware Resiliency Report, 15% of Indian organisations had experienced more than five ransomware attacks while 31% saw between three and five such attacks. Some 13% in Singapore had experienced one ransomware attack, while 9% reported between three and five such attacks.

To help companies plug any gaps in their IT infrastructure, Ng suggested that governments should introduce similar regulations that have been implemented for healthcare and financial services in other sectors such as manufacturing, which were increasingly under fire from ransomware attacks. 

"That's an area governments can play a more proactive role, in defining what's bare minimum for companies in manufacturing, for instance," he said. 

RELATED COVERAGE